We always think that the best protection against web-distributed malware is to exercise caution while browsing. But what if you aren’t even browsing in the classic sense, and an application renders a malware-infested page? I found out this morning.
I grabbed my first cup of coffee this morning and launched the Windows 10 MSN News app. I’d been reading stories for about 30 minutes when a story in my “Microsoft” search tab caught my eye: “Microsoft Issues Black Friday Malware Warning”. It showed as being from the International Business Times, not one of the obscure sites that MSN News sometimes picks up. I clicked on the tile and started reading. Suddenly my Surface Book 2 started talking. The coffee wasn’t yet working so I couldn’t quite make out what was being said, but I thought “%^*%” auto-play video, so I clicked the back arrow to get rid of the page. The woman with the English accent didn’t stop talking. I killed MSN News, still she droned on. I clicked on Edge and there it was, the MSN News article had somehow launched a browser tab with some kind of phishing/ransomware/malware site.
What the woman was saying was something about my computer was found to have “pornographic malware” and that I had to contact them. I saw that the web page had a phone number on it, and darn but I was too busy trying to kill this to write it down. On top was a modal dialog box: You’ll notice there is no checkbox for “prevent web page from launching dialog boxes”, or whatever Edge says. I killed the dialog box and saw that underneath was another dialog box with that checkbox. But before I could check it the above dialog box was back. At one point I did check it in time, only to have the web page try to go to full screen mode. Fortunately Edge let me block that. So this second dialog was apparently a fake as well.
Unable to do anything to kill this from within Edge I launched Task Manager. I really wanted to keep my other tabs so I tried killing just the process for the malicious one. It didn’t work, it just kept re-launching. I killed the top level process, re-launched Edge, and killed the malicious tab without opening it. Nope, that wasn’t enough. The malicious page came back to life. I went through the whole thing again and this time clicked on the tab to start fresh. Then I went into settings and cleared everything. This finally seemed to stop it.
Next came a scan, then an offline scan, with Defender. I followed that up with a Malwarebytes scan. Nothing. It looks like Edge managed to keep this beast from breaking through and making system changes, but I’m not confident about that yet. I’m going to take a deeper look before declaring victory.
Maybe the worst part of this is I have no way to report it to Microsoft, or anyone else. I couldn’t copy the offending URL from the address bar because of the modal dialog. And I discovered that when you go into Edge’s browser history you can either re-launch the page or delete the history item, but you can’t copy the link. I spent some time looking around to see if Edge stored history in human-readable format, but eventually gave up. I don’t see a way to report the bad story in MSN News, but now I’ll go try to find it elsewhere.
Bottom line: Don’t think that good browsing habits will save you. I’ve been using the MSN News app since it was first released with Windows 8, with this being the first malicious story I’ve found. And it was an infected web page on a mainstream site.
Update (11AM Eastern): I scanned the IBT web page for this story using several tools, such as VirusTotal, and came up blank on any malware. So I viewed the story directly. Nothing bad happened. So while the problem occurred while I was viewing the IBT story in MSN News, it isn’t clear what really caused the malicious page to launch. I also went and checked the family member’s WiFi router I’m on and discovered it wasn’t up to my standards for security settings. I hardened that up.
Just spitballing but – put your computer in flight mode, then open the window from history so you can capture the URL?
Hmm, might have worked and I’ve done that before. Also might have just pulled the page out of the cache. Anyway, I had an appointment to go to and wasn’t going to leave remnants on the machine for further investigation.
If you’re still digging and you didn’t delete it from history, you could see if this was really where it came from – but see also Twitter for a contact with feedback.
Unfortunately, or fortunately, I had cleaned everything up before writing the blog post. So no history left to investigate.
This is something I deal with pretty much every single day with users. It can also happen on iPads and Macs. Many times, the offending site has already been blacklisted but apparently the bad guys can just keep creating them at will. Luckily many of my customers are trained to turn off the computer at this point. But when they restart the computer, and return to Edge, it comes back, sometimes, and sometimes there is a checkbox to “stop creating new windows” or whatever it says, and sometimes it even works.
The fix? Launch any website from the search bar, Cortana, or Start Menu, then close the browser immediately (as you will see the offending site still in another tab and visible); and then “close all tabs”. I don’t charge people to fix this because it is so easy for me and so hard for them to deal with. I’m not a developer but I suspect these guys simply create fake websites, with cartoons claiming there is something wrong, call this #.
My first instinct since I am just a lowly computer guy was to try and ask Microsoft in the forums, why can anyone or anything create a situation in which any Window can pop up on Windows that cannot simply be closed? Well let me tell you. Apparently, I was the idiot for wondering why. I’m sure you can get a straight answer from one of your contacts, and millions of average folks like myself await the answer.
So this happening on some random MSN news site that launched Edge doesn’t surprise me. In the old days when Java and Flash were running wild and updated on people’s machines, I may have been worried about a drive-by infection, but not so much anymore. I just give them the turn it off, turn it on answer and that’s about it. JF
I need to think about who to reach out to. There are a number of things in this scenario that bother me. Some old (like modal dialog boxes in a browser script) and some new (like why would the MSN News app ever launch Edge unless you explicitly told it to launch a story in a browser).
I was just able to reproduce the scenario, as I often can, by mis-typing the YouTube website, using a V in place of the B. This works a lot and sometimes it doesn’t. But I just did it and it did. I was also able to check the box to not allow more windows to pop up. Still, average users aren’t always that smart, but it is better than nothing. Prompted me to enter my password hahah….
I live in a town with lots of older folks, many of them fall for this regularly, and I visit their banks often to help them change account info, after they 1. call the #, and 2. let the guy in for any # of hours to “fix” the computer. It’s a very sad situation for the older crowd as is most of technology. Older folks fall for this trick all the time, very often.
Often how this comes up on a “legitimate” site is they include third-party ads, and a malicious ad contains the payload for the scam/malware/etc. The next time you visit, you aren’t served that ad again. Tricky to track down without capturing the details at the time of attack, which, as you found out, is almost impossible in some scenarios.